The 4 Horses of the Cyber Apocalypse
January 31st, 2010 | by Mark
OK, calling it the apocalypse may be a bit alarmist – unless you’re a victim of evolving cyber crime. It’s really sad when it’s the very government and utilities that you rely on for life-giving services that work to erode your privacy and security. So, four events occurred to spur me on to write this entry. I didn’t connect the dots until recently. Few things scare me but this situation is one of them.
The first event: A few weeks ago there was a knock at the door at home. When I answered there was a well-dressed young man with a clipboard and a very official looking ID and permit hanging from his neck. He introduced himself and said he worked for a local alarm company called ABC security. I told him I had an alarm and the next question shocked me: he asked me if I knew which of my neighbors didn’t have alarms! He said it would save him a bunch of time instead of going door-to-door. I told him that all my neighbors had alarms and bid him good day. The door wasn’t even closed before I was speed-dialing SJPD. When the cops showed up 10 minutes later there was no sign of my well-dressed sales person. That was a few weeks ago.
The second event: Early last week one of my neighbors approached me while I was unloading my car after a session of Death-by-Costco. She was very serious and obviously very agitated. She kept looking around as if she expected to be followed. Once I heard her story I understood her agitation: her house had been burglarized the week before.
The third event: Last week the Silicon Valley chapter of the ISSA had their monthly meeting (3rd Tuesday of each month) and at the end of the meeting one of the members quite angrily wanted to know why industrial security wasn’t on the list of important security trends for the chapter in 2010.
The fourth event: I got a notice from PG&E that they were going to install a smart meter on my house and that if I had an issue with it that was too bad. OK, they were “politically correct” when they said it but how many ways can you say “tough nuts”?
So what’s the connection?
Allow me to digress for a bit. Back in the pre-Internet days, when someone wanted to steal your identity they had to do a lot of legwork. They had to research people, family, friends, jobs, life and death, and it took time. A lot of it. Now, criminals can take advantage of aggregated information and stealing identities has become a small criminal industry within the greater scheme of Internet crime.
Getting back to my well-dressed perp, he was casing the neighborhood and relying on the good nature of people to collect information about their neighbors. He took his information and used it to craft a burglary plan that, after 8 break-ins, seems to have been pretty successful. Even in light of the fact that there are photos of the perps and their car, SJPD has yet to apprehend a suspect.
Now toss in the anonymity that the Internet supplies, shake in a few network and application vulnerabilities, sprinkle in a few million smart meters, and you have a recipe for more disaster. Smart meters are those meters that the power companies are trying to install on people’s homes to control power usage during high peak loads so the ancient and neglected power grid doesn’t collapse during said high loads. The advantage to power customers, according to the marketing, is that they can track their usage over the Internet! Yay! (That was the criminals cheering BTW)
Now criminals don’t have to risk getting caught on the streets, they can case your house from the safety of their criminal lair! Or their parents’ house… or wherever they’re living.
TSC analyzed an RFQ from a major power supplier regarding smart meters and the supporting infrastructure and came to the conclusion that power companies still don’t have a clue about security. It’s the next step in the chain of cyber crime – remote casing of your home using the very web sites that the power companies are using to convince customers that smart meters are a good idea.
I’m upgrading my alarm tomorrow and then I’m calling my power company to tell them to get their security act together. Perhaps you should too.